help on suspicious html code..

They have: 6 posts

Joined: Aug 2003

hello there..
i'm just wondering how the hell this code appeared on all of the html files in my website in my local drive..
the code appears after the REAL code of the html file.

<HTML>
<BODY onload="vbscript:KJ_start()">
<script language=vbscript>
document.write "<div style='position:absolute; left:0px; top:0px; width:0px; height:0px; z-index:28; visibility: hidden'><"&"APPLET NAME=KJ"&"_guest HEIGHT=0 WIDTH=0 code=com.ms."&"activeX.Active"&"XComponent></APPLET></div>"
</script>
<script language=vbscript>
ExeString = "virus removed"
Execute("Dim KeyArr(3),ThisText"&vbCrLf&"KeyArr(0) = 2"&vbCrLf&"KeyArr(1) = 8"&vbCrLf&"KeyArr(2) = 8"&vbCrLf&"KeyArr(3) = 4"&vbCrLf&"For i=1 To Len(ExeString)"&vbCrLf&"TempNum = Asc(Mid(ExeString,i,1))"&vbCrLf&"If TempNum = 18 Then"&vbCrLf&"TempNum = 34"&vbCrLf&"End If"&vbCrLf&"TempChar = Chr(TempNum + KeyArr(i Mod 4))"&vbCrLf&"If TempChar = Chr(28) Then"&vbCrLf&"TempChar = vbCr"&vbCrLf&"ElseIf TempChar = Chr(29) Then"&vbCrLf&"TempChar = vbLf"&vbCrLf&"End If"&vbCrLf&"ThisText = ThisText & TempChar"&vbCrLf&"Next")
Execute(ThisText)
</script>
</BODY>
</HTML>

i was just thinking if this was done by my HTML editor..
i'm using Dreamweaver MX and there was one time when i opened my site, Dreamweaver displayed several error messages (javascript errors) even before opening..
hope you could help me on this..
as a temporary solution, i have already manually erased all the "extra" scripts on my pages and i'm now editing my pages on notepad..

i also have my site running on Yahoo Geocities..
i also use redirection from CJB.net..
is it possible that either one of these two put the code on the html files for advertisement purposes?

by the way, the address is http://www.geocities.com/ustchem2003
or http://ustchem2003.cjb.net (with redirection)

thanks for the help guys..

Renegade's picture

He has: 3,022 posts

Joined: Oct 2002

I don't think CJB.net put anything on your site, for they only do redirecting, but it's quite possible that Geocities did.

druagord's picture

He has: 335 posts

Joined: May 2003

I am no specialist but this looks like some malicious code. I suggest you make sure a worm didn't get a hold of your PC.

They have: 6 posts

Joined: Aug 2003

as far as i know, i don't think my pc's been attacked by such things..
well, there's this very annoying virus that makes hidden copies of desktop.ini and folder.htt in almost every folder of my drive.. do you think this would have caused the code??

They have: 39 posts

Joined: Jul 2002

Hi,

If you have one virus, you may have others. Get rid of them. Try an online virus scanner if you don't have a virus protection program.

Make sure you are ftping in the correct format. If you open your file in any other editor, notepad, word, etc, this may also sometimes cause similar problems.

Hope this helps.

Leah | Idologic.com
Reseller, Dedicated, and Co-Lo Solutions

Vincent Puglia's picture

They have: 634 posts

Joined: Dec 1999

Hi,

On the non-paranoid level: Was the page originally on the net? Did you upload and then download it, not necessarily during the same session?
The reason I ask: once or twice when uploading pages to my site I identified them as the wrong type in the ftp agent. The result was half text, half code.

Vinny

Where the world once stood
the blades of grass cut me still

They have: 461 posts

Joined: Jul 2003

i have a question: what is it about this particular thread that had my virus scanner catch a malicious script upon its loading?
i've checked. it is JUST this thread (mcafee virus scan 7.0)

name: VBS/Redlof@M

POSIX. because a stable os that doesn't have memory leaks and isn't buggy is always good.

He has: 296 posts

Joined: May 2002

Because of the code above. It's most likely the virus that McAfee is finding.

Renegade's picture

He has: 3,022 posts

Joined: Oct 2002

Quote: Originally posted by jowp
well, there's this very annoying virus that makes hidden copies of desktop.ini and folder.htt in almost every folder of my drive.. do you think this would have caused the code??

Yes you do have a virus, it's called MS Windows, it does that.

MS Word does that too with the default.dot file, check your hard drive for it.

jammin's picture

They have: 222 posts

Joined: Sep 2002

yup it's a virus, and norton had a field day when i opened this post.

Quote: HTML.Redlof.A is a polymorphic, encrypted, Visual Basic Script virus that infects .html, .htm, .asp, .php, .jsp, and .vbs files on all drives. Depending on the location of the Windows System folder, the virus copies itself to either %windir%\System\Kernel.dll or %windir%\System\Kernel32.dll. It changes the default association for .dll files.

go here for more info on it. seems annoying.

and if you don't have antivirus software then go to this site to scan for free. I have to warn you though, it may take a while on slower internet speeds.

good luck getting rid of the virus, and when you do get rid of the virus be sure to tell anyone you may have e-mailed that they too may be infected, since this virus is spread by e-mail.

anyone can do any amount of work provided it isnt the work they are supposed to be doing.
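
An added example, not written by any poster in this thread: a read-only Python check that walks a local site folder and reports files carrying the strings from the snippet in the first post, noting whether they sit after the page's own closing `</html>` tag as the original poster described. The marker strings come from that snippet and the extension list from the Norton description quoted above; the function names, regular expressions and sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# File types the quoted Norton description lists as infection targets.
TARGET_EXTS = {".html", ".htm", ".asp", ".php", ".jsp", ".vbs"}

# Strings taken from the snippet posted at the top of this thread.
MARKERS = {
    "onload-KJ_start": re.compile(rb"onload\s*=\s*[\"']?vbscript:KJ_start", re.I),
    "applet-KJ": re.compile(rb"APPLET\s+NAME\s*=\s*KJ", re.I),
    "execute-ThisText": re.compile(rb"Execute\s*\(\s*ThisText\s*\)", re.I),
}
CLOSE_HTML = re.compile(rb"</html\s*>", re.I)

def inspect(data: bytes) -> dict:
    """Report which markers occur and whether they sit after the first </html>."""
    hits = sorted(name for name, rx in MARKERS.items() if rx.search(data))
    close = CLOSE_HTML.search(data)
    tail = data[close.end():] if close else b""
    appended = any(rx.search(tail) for rx in MARKERS.values())
    return {"markers": hits, "appended": appended,
            "tail_offset": close.end() if appended else None}

def scan_tree(root) -> dict:
    """Map each suspicious file (path relative to root) to its inspect() result."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in TARGET_EXTS:
            result = inspect(path.read_bytes())
            if result["markers"]:
                findings[path.relative_to(root).as_posix()] = result
    return findings

# Constructed samples: a clean page, and the same page with a payload-free stub appended.
CLEAN = b"<html><body><p>Chem 2003</p></body></html>\n"
STUB = (b"<HTML>\n<BODY onload=\"vbscript:KJ_start()\">\n"
        b"Execute(ThisText)\n</BODY>\n</HTML>\n")

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "index.html").write_bytes(CLEAN)
        (root / "sub" / "page.HTM").write_bytes(CLEAN + STUB)
        (root / "notes.txt").write_bytes(STUB)  # extension not in the list: skipped
        return scan_tree(root)
```

`tail_offset` is the byte position just past the first `</html>`, which is where a reviewer would start looking at what was appended; the script only reads files and changes nothing.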
